I'm running activemq embedded within our app, and configuring it programmatically (rather than using xml files). Here is how I configure the authorization plugin. I had to look at some of the source to figure this stuff out, as I unfortunately couldn't find it documented anywhere. Hopefully this pertains to what you are trying to do:

import java.util.Arrays;

import org.apache.activemq.security.AuthorizationEntry;
import org.apache.activemq.security.AuthorizationMap;
import org.apache.activemq.security.AuthorizationPlugin;
import org.apache.activemq.security.DefaultAuthorizationMap;

    // Catch-all entry first (its role lists are empty, so it grants nothing by itself),
    // then one entry per destination pattern; each role list is a comma-separated set of group names.
    AuthorizationMap authMap = new DefaultAuthorizationMap(Arrays.asList(
        makeAuthorization(">", "", "", ""),
        makeQueueAuthorization("proto.chat.request", "servers", "clients", "servers"),
        makeTopicAuthorization("proto.chat.message", "clients", "servers", "servers"),
        makeQueueAuthorization("rpc.request.>", "servers", "clients", "clients,servers"),
        makeTopicAuthorization("ActiveMQ.Advisory.>", "clients,servers", "clients,servers", "clients,servers")
    ));
    AuthorizationPlugin authPlugin = new AuthorizationPlugin(authMap);

  // Entry that applies to a topic only.
  private static AuthorizationEntry makeTopicAuthorization(String topicName, String readRoles,
      String writeRoles, String adminRoles) throws Exception {
    return makeAuthorization(topicName, null, readRoles, writeRoles, adminRoles);
  }

  // Entry that applies to a queue only.
  private static AuthorizationEntry makeQueueAuthorization(String queueName, String readRoles,
      String writeRoles, String adminRoles) throws Exception {
    return makeAuthorization(null, queueName, readRoles, writeRoles, adminRoles);
  }

  // Entry that applies to both the topic and the queue of the given name.
  private static AuthorizationEntry makeAuthorization(String destinationName, String readRoles,
      String writeRoles, String adminRoles) throws Exception {
    return makeAuthorization(destinationName, destinationName, readRoles, writeRoles, adminRoles);
  }

  // The AuthorizationEntry setters declare "throws Exception" because they parse the role lists.
  private static AuthorizationEntry makeAuthorization(String topicName, String queueName,
      String readRoles, String writeRoles, String adminRoles) throws Exception {
    AuthorizationEntry auth = new AuthorizationEntry();
    if (topicName != null) {
      auth.setTopic(topicName);
    }
    if (queueName != null) {
      auth.setQueue(queueName);
    }
    if (readRoles != null) {
      auth.setRead(readRoles);
    }
    if (writeRoles != null) {
      auth.setWrite(writeRoles);
    }
    if (adminRoles != null) {
      auth.setAdmin(adminRoles);
    }
    return auth;
  }

Jim

On 5/20/2010 6:21 AM, Jim Lloyd wrote:
Dejan and James,

I'm looking at the JAAS plugins now and yes this approach for deriving the
user and group from a certificate looks pretty clear, and this will save me
a lot of time. Thanks!

Can either of you give me a similar guidance for how I would do the
AuthorizationMap piece? It looks like I can simply implement
AuthorizationMap, but the return type of Set<?> for the methods seems highly
under-constrained. The comments say that the methods return ACLs, but it's
not obvious to me what forms the ACLs take. Looking at
SimpleAuthorizationMap, I see that it is primarily delegating to
DestinationMap, but DestinationMap (and its helper DestinationMapNode,
DestinationMapEntry) is just complex enough that I haven't been able to
figure it out from just browsing the code. I have a hunch that one of you
can give me some quick pointers here that will also save me a lot of time.

Thanks,
Jim


On Thu, May 20, 2010 at 6:13 AM, Dejan Bosanac <de...@nighttale.net> wrote:

Hi James,

thanks for adding this info. I totally forgot to mention activemq-jaas.

Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net


On Thu, May 20, 2010 at 8:34 AM, James Casey <jamesc....@gmail.com> wrote:

Hi Jim,

What Dejan has pointed you at is the classes that have all the various
plugin methods for doing Auth in ActiveMQ by inserting a Broker object
into the chain which is called during a connection.  It would be
possible to write a custom Broker subclass here that does what you
want, but I think it would be easier inside JAAS.

What I'd suggest is you use the standard
JaasCertificateAuthenticationPlugin and do the work in a JAAS plugin.

The JAAS plugins are in:

http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-jaas/src/main/java/org/apache/activemq/jaas

I would suggest to create a subclass of CertificateLoginModule and
override the getUserNameForCertificate method to extract and return
the CN.  If you look at TextFileCertificateLoginModule.java you can
see the logic it uses to extract the DN and match against entries in
the file - you would just need to write a simpler version which just
pulls out the CN from the client DN. Then you hook it into ActiveMQ
via a login.config file pointing at your custom class.

Let me know if this makes sense or if you need any more info.

cheers,

James.


On 20 May 2010 12:14, Dejan Bosanac <de...@nighttale.net> wrote:
Hi Jim,

the best way is to look at the source code of the current plugin
implementation.

You can find it in org.apache.activemq.security package.

For a quick preview, you can use this URL:

http://fisheye6.atlassian.com/browse/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/security

Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net


On Wed, May 19, 2010 at 2:33 PM, Jim Lloyd <jll...@silvertailsystems.com> wrote:

I'd like to implement an authorization plugin that would allow me to
implement a fully automatic authorization policy. Here's an outline of
what I want:

We have a broker that is a hub in a hub & spoke topology network of
brokers. All connections to this hub broker are via SSL and the hub
broker requires SSL client authentication. We require the client
certificates to always be of a form where the Common Name (CN) of the
certificate defines the user. So, for example, if we instead used a
jaas.TextFileCertificateLoginModule the user.properties file would look
like this:

user1=CN=user1,O=Silver Tail Systems,ST=California,C=US
userFoo=CN=userFoo,O=Silver Tail Systems,ST=California,C=US
...
userZeta=CN=userZeta,O=Silver Tail Systems,ST=California,C=US

Meanwhile, the AuthorizationMap we want would look something like this:
<authorizationPlugin>
  <map>
    <authorizationMap>
      <authorizationEntries>
        <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
        <authorizationEntry topic="user1.>" read="user1" write="user1" admin="user1" />
        <authorizationEntry topic="userFoo.>" read="userFoo" write="userFoo" admin="userFoo" />
        ...
        <authorizationEntry topic="userZeta.>" read="userZeta" write="userZeta" admin="userZeta" />
        <authorizationEntry topic="ActiveMQ.Advisory.>" read="all" write="all" admin="all" />
      </authorizationEntries>
    </authorizationMap>
  </map>
</authorizationPlugin>

If we use jaas.TextFileCertificateLoginModule, we have to update the
users.properties, groups.properties file and the authorizationMap in the
activemq.xml file every time we add a user. We can automate this with
scripting, but a more elegant solution would be to write our own plugin(s)
to implement this policy. I'm in the process of scoping this effort, and
so far I haven't found anything other than javadocs on the various classes
to guide me. Can anyone provide a high level outline of how I would
implement this?

Thanks,
Jim Lloyd
Silver Tail Systems
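Jim's question about what form the ACLs take is not answered in the thread. As an added example, not code from the thread or from the ActiveMQ project, here is an AuthorizationMap that implements the policy of the original message without any per-user entries. It assumes the ActiveMQ 5.x APIs (AuthorizationMap, ActiveMQDestination, and UserPrincipal/GroupPrincipal from activemq-jaas) plus the constructed group names "admins" and "users", where the login module is assumed to add every CN-authenticated user to "users".

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.jaas.UserPrincipal;
import org.apache.activemq.security.AuthorizationMap;

// An ACL is a Set of principals; the broker allows the operation when the connection's JAAS subject
// holds at least one of them (UserPrincipal = the login name, i.e. the certificate CN; GroupPrincipal =
// each group the login module assigned). Set<Object> also satisfies the older Set<?> signature.
public class CnAuthorizationMap implements AuthorizationMap {
    private static final String ADMIN_GROUP = "admins"; // constructed group names; the login module
    private static final String ALL_GROUP = "users";    // is assumed to put every CN user in "users"

    private static Set<Object> acl(Object... principals) {
        return new HashSet<Object>(Arrays.asList(principals));
    }

    // "user1.anything" (and the wildcard "user1.>") belongs to the user whose CN is "user1".
    private Set<Object> aclFor(ActiveMQDestination dest) {
        Set<Object> adminsOnly = acl(new GroupPrincipal(ADMIN_GROUP));
        if (dest.isComposite()) {
            // "user1.a,user2.b" must not be decided by its first component: keep only principals allowed on all.
            Set<Object> common = null;
            for (ActiveMQDestination child : dest.getCompositeDestinations()) {
                if (common == null) { common = aclFor(child); } else { common.retainAll(aclFor(child)); }
            }
            return common == null ? adminsOnly : common;
        }
        String name = dest.getPhysicalName();
        if (name.startsWith("ActiveMQ.Advisory.")) {
            return acl(new GroupPrincipal(ADMIN_GROUP), new GroupPrincipal(ALL_GROUP));
        }
        int dot = name.indexOf('.');
        String owner = dot > 0 ? name.substring(0, dot) : name;
        if (owner.indexOf('*') >= 0 || owner.indexOf('>') >= 0) {
            return adminsOnly; // a wildcard prefix such as ">" or "*.>" is never a user's CN: admins only
        }
        adminsOnly.add(new UserPrincipal(owner)); // anyone else is simply not in the set and is denied
        return adminsOnly;
    }

    public Set<Object> getReadACLs(ActiveMQDestination d)  { return aclFor(d); }
    public Set<Object> getWriteACLs(ActiveMQDestination d) { return aclFor(d); }
    public Set<Object> getAdminACLs(ActiveMQDestination d) { return aclFor(d); }
    public Set<Object> getTempDestinationReadACLs()  { return acl(new GroupPrincipal(ADMIN_GROUP)); } // temp: admins
    public Set<Object> getTempDestinationWriteACLs() { return acl(new GroupPrincipal(ADMIN_GROUP)); }
    public Set<Object> getTempDestinationAdminACLs() { return acl(new GroupPrincipal(ADMIN_GROUP)); }
}
```

Install it as `new AuthorizationPlugin(new CnAuthorizationMap())` in the broker's plugin list after the JaasCertificateAuthenticationPlugin, so the JAAS subject is already populated when the ACLs are checked.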

